topic Re: Switch configuration for dmz vlan segregation in Network Security

Switch configuration for dmz vlan segregation

professorguy — Mon, 11 Mar 2019 09:55:57 GMT

I have a 24-port Cisco 2950 on my ASA 5520 DMZ interface. It is segregated into 23 vlans:

interface FastEthernet0/1

switchport access vlan 101

ip address 192.168.101.1 255.255.255.0

interface FastEthernet0/2

switchport access vlan 102

ip address 192.168.102.1 255.255.255.0

...

interface FastEthernet0/24

switchport mode trunk

switchport trunk allowed vlan 101-123

Then there's 23 subinterfaces on my ASA dmz interface:

interface GigabitEthernet0/2

no nameif

interface GigabitEthernet0/2.101

nameif dmz-101

vlan 101

security-level 50

ip address 192.168.101.2 255.255.255.0

interface GigagitEthernet0/2.102

nameif dmz-102

vlan 102

security-level 50

ip address 192.168.102.2 255.255.255.0

...

route outside 0 0

global (outside) 1 <PUBLIC_IP>

nat (dmz-101) 1 0.0.0.0 0.0.0.0 0 0

nat (dmz-102) 1 0.0.0.0 0.0.0.0 0 0

...

The asdm Packet Tracer reports that a client on vlan 109 (192.168.109.101) hitting interface dmz-109 will pass to an outside ip:80 (www). However, when I try to hit ip:80, no joy.

When I scrape off all the subinterfaces and put the switch to a default configuration (every port on vlan 1), it works fine.

What should the switch config look like to actually communicate correctly with the ASA?

Re: Switch configuration for dmz vlan segregation

professorguy — Wed, 04 Apr 2007 14:04:38 GMT

Perhaps a more specific question is in order:

Everything I read says the default gateway set up on the switch must correspond to the interface of the ASA. But the switch can have only one default-gateway while the interface on the ASA has 23 different addresses.

What is the default gateway for the switch?

Re: Switch configuration for dmz vlan segregation

David White — Wed, 04 Apr 2007 16:47:40 GMT

The 'default-gateway' on the switch you are referring to is for the switches' management traffic. (ie: telnet, snmp, etc..) It does not affect through traffic (ie: routed traffic).

The default-gateway should be the interface on the ASA which corresponds to the interface VLAN you are using for management of the switch. By default, that is VLAN 1, but can be changed.

Sincerely,

David.

Re: Switch configuration for dmz vlan segregation

professorguy — Wed, 04 Apr 2007 17:31:57 GMT

Thank you David. That explains the configurations I see on some of our other devices. I have a management VLAN which is the native vlan on our trunks and all point to the same gateway on our core router. Now I understand how to make the DMZ switch report to the NOC as well.

So the default-gateway is not the problem here. What is preventing the communications? Let me recap:

I can ping the client on the DMZ switch from the ASA. I can ping the ASA from the DMZ client. I can ping outside from the ASA. Asdm Packet Tracker reports that packets will route from the dmz client to a web site outside. But the dmz client cannot hit the web site outside (by IP without DNS).

Does anyone have a vlan/subinterface configuration between a switch and the ASA that is working?

Re: Switch configuration for dmz vlan segregation

David White — Thu, 05 Apr 2007 00:26:40 GMT

If the client (I assume located off the switch somewhere) can ping the ASA's IP (which should obviously be on the same VLAN as the client), then you correctly configured trunking on the switch and ASA, and that is not your problem.

Did you set the client's default gateway to be that of the ASA? If so, then the next step is to check the syslogs on the ASA to see if the connection is getting built.

The config you pasted in looks fine. Trying pinging from the client to the ASA's default router, and enable "debug icmp trace" on the ASA and see if you see the ICMP Echo and ICMP Echo-reply packets. That will also help narrow down where the issue is.

Sincerely,

David.

Re: Switch configuration for dmz vlan segregation

professorguy — Thu, 05 Apr 2007 10:55:20 GMT

When I ping the ASA from the client, I can see the connection being built and torn down on the ASA as expected. I can ping the client from the ASA without a problem.

The client gateway is set to the ip address of the vlan on the switch (.1), not the ASA interface (.2). As I think about it though, that can't be right since packets can't have the switch as a destination since as an L2, it can't route them (and a default-gateway on the switch can't work because of the multiple interface problem). I will change this and try again.

Re: Switch configuration for dmz vlan segregation

professorguy — Thu, 05 Apr 2007 11:22:55 GMT

David is now my favorite person.

Much joy. Each port on the switch is a separate VLAN with no inter-VLAN routing. If a DMZ server is compromised, it cannot attack other DMZ servers (at least it'll be harder). Each vlan on the switch has an ip on a subnet, which is on the same subnet as the subinterface on the ASA. Then the client gets a (static) ip on that subnet, but the default gateway for that client must be the ASA subinterface.

Works like a charm! Thanks again, David.

Re: Switch configuration for dmz vlan segregation

David White — Thu, 05 Apr 2007 12:53:34 GMT

Glad to hear it professorguy. Thanks for letting us know!

Sincerely,

David.